Protecting against a blind injection attack – Brocade TurboIron 24X Series Configuration Guide User Manual


Brocade TurboIron 24X Series Configuration Guide

1027

53-1003053-01

Protecting against TCP SYN attacks

If the RST bit is set and the sequence number is outside the expected window, the device
silently drops the segment.

If the RST bit is set and the sequence number is exactly the next expected sequence number,
the device resets the connection.

If the RST bit is set and the sequence number does not exactly match the next expected
sequence value, but is within the acceptable window, the device sends an acknowledgement
instead of resetting the connection.

Protecting against a blind TCP reset attack using the SYN bit

In a blind TCP reset attack, a perpetrator who cannot see the connection's traffic sends a
spoofed segment with the SYN bit set and a guessed sequence number, hoping to prematurely
terminate an active TCP session.

To prevent an attacker from using the SYN bit to tear down a TCP connection, the SYN bit is
subject to the following rules when the device receives TCP segments:

If the SYN bit is set and the sequence number is outside the expected window, the device
sends an acknowledgement (ACK) back to the peer.

If the SYN bit is set and the sequence number is an exact match to the next expected
sequence, the device sends an ACK segment to the peer. Before sending the ACK segment,
the software subtracts one from the value being acknowledged.

If the SYN bit is set and the sequence number is acceptable, the device sends an
acknowledgement (ACK) segment to the peer.
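The RST and SYN rules above are easiest to see as a small decision procedure on the receiving side. The following is an added example, not code from the Brocade guide or from the TurboIron software: it models the rules exactly as the guide states them, including the "subtract one" behaviour for an exact-match SYN, and adds a helper that shows why the exact-match requirement matters to a blind attacker. The names (ConnState, handle_rst, handle_syn, guesses_to_cover_space) and the sample window sizes are assumptions made for this example, and the window check is simplified to the segment's first sequence number.

```python
# Added example, not from the Brocade guide: a model of the RST and SYN
# sequence-number rules described above, applied by the receiver of an
# established connection. Names and sample values are assumptions.
from dataclasses import dataclass

SEQ_MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around


@dataclass
class ConnState:
    rcv_nxt: int  # next sequence number the receiver expects
    rcv_wnd: int  # receive window in bytes


def in_window(seq: int, st: ConnState) -> bool:
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd), modulo 2**32.

    Simplification: only the segment's first sequence number is checked,
    not its length.
    """
    return (seq - st.rcv_nxt) % SEQ_MOD < st.rcv_wnd


def handle_rst(seq: int, st: ConnState) -> str:
    """Classify a segment with the RST bit set: 'drop', 'reset' or 'ack'."""
    if not in_window(seq, st):
        return "drop"   # outside the window: silently dropped
    if seq == st.rcv_nxt:
        return "reset"  # exactly the next expected value: connection reset
    return "ack"        # in window but not exact: acknowledgement (challenge ACK)


def handle_syn(seq: int, st: ConnState) -> tuple:
    """A SYN on an established connection never tears it down; the device
    answers with an ACK. Returns ('ack', acknowledgement number)."""
    if seq == st.rcv_nxt:
        # exact match: the guide says one is subtracted from the acknowledged value
        return ("ack", (st.rcv_nxt - 1) % SEQ_MOD)
    return ("ack", st.rcv_nxt)


def guesses_to_cover_space(rcv_wnd: int, exact_only: bool) -> int:
    """Distinct sequence numbers a blind attacker must try to be certain of
    hitting a value that resets the connection: under the classic rule any
    in-window RST resets (rcv_wnd hits per 2**32 values); with the exact-match
    rule only one value does."""
    resetting_values = 1 if exact_only else rcv_wnd
    return -(-SEQ_MOD // resetting_values)  # ceiling division


if __name__ == "__main__":
    st = ConnState(rcv_nxt=1000, rcv_wnd=65536)
    for seq in (999, 1000, 1500, 1000 + 65536):
        print(f"RST seq={seq}: {handle_rst(seq, st)}")
    print("SYN seq=1000:", handle_syn(1000, st))
    print("guesses, classic rule:", guesses_to_cover_space(65536, False))
    print("guesses, exact match:", guesses_to_cover_space(65536, True))
```

With a 64 KB receive window the classic rule lets an attacker reset the connection after at most 65536 guesses, while requiring an exact match pushes that to the full 2^32 sequence space; the in-window-but-inexact case produces an acknowledgement, which a legitimate peer that really did lose its state will answer with a correctly numbered RST.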

Protecting against a blind injection attack

In a blind TCP injection attack, a perpetrator who cannot see the connection's traffic tries to
inject data into, or manipulate data in, a TCP connection by guessing its sequence numbers.

To reduce the chances of a blind injection attack succeeding, the device performs an additional
check on every incoming TCP segment before accepting it.

Displaying statistics about packets dropped because of DoS attacks

To display information about ICMP and TCP SYN packets dropped because burst thresholds were
exceeded, enter the following command.

TurboIron#show statistics dos-attack

---------------------------- Local Attack Statistics --------------------------
ICMP Drop Count  ICMP Block Count  SYN Drop Count  SYN Block Count
---------------  ----------------  --------------  ---------------
              0                 0               0                0

--------------------------- Transit Attack Statistics -------------------------
Port   ICMP Drop Count  ICMP Block Count  SYN Drop Count  SYN Block Count
-----  ---------------  ----------------  --------------  ---------------
11                   0                 0               0                0

Syntax: show statistics dos-attack

To clear statistics about ICMP and TCP SYN packets dropped because burst thresholds were
exceeded, enter the following command.

TurboIron#clear statistics dos-attack

Syntax: clear statistics dos-attack
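Operations teams usually poll this command rather than read it by hand. The following is an added example, not from the Brocade guide, that parses the output shown above into a dictionary keyed by section and port, flags ports whose drop counters are non-zero, and computes the change between two polls (the counters are cumulative until cleared with clear statistics dos-attack). The second sample output with non-zero counters is constructed for the example, and the function names are assumptions.

```python
# Added example, not from the Brocade guide: parse 'show statistics dos-attack'
# output and flag ports that are dropping packets. Function names are assumptions.

COLUMNS = ("icmp_drop", "icmp_block", "syn_drop", "syn_block")

# The device output shown on this page, embedded so the example runs offline.
PAGE_OUTPUT = """\
TurboIron#show statistics dos-attack
---------------------------- Local Attack Statistics --------------------------
ICMP Drop Count  ICMP Block Count  SYN Drop Count  SYN Block Count
---------------  ----------------  --------------  ---------------
              0                 0               0                0
--------------------------- Transit Attack Statistics -------------------------
Port   ICMP Drop Count  ICMP Block Count  SYN Drop Count  SYN Block Count
-----  ---------------  ----------------  --------------  ---------------
11                   0                 0               0                0
"""

# Constructed sample (not captured from a device) with non-zero counters.
CONSTRUCTED_OUTPUT = """\
---------------------------- Local Attack Statistics --------------------------
ICMP Drop Count  ICMP Block Count  SYN Drop Count  SYN Block Count
---------------  ----------------  --------------  ---------------
             12                 1               0                0
--------------------------- Transit Attack Statistics -------------------------
Port   ICMP Drop Count  ICMP Block Count  SYN Drop Count  SYN Block Count
-----  ---------------  ----------------  --------------  ---------------
5                    0                 0           48213                3
11                   0                 0               0                0
"""


def parse_dos_attack_stats(output: str) -> dict:
    """Return {'local': {counter: value}, 'transit': {port: {counter: value}}}.

    Data rows are the only lines that start with a digit; the local row has
    four numbers, a transit row has the port number followed by four numbers.
    """
    stats = {"local": None, "transit": {}}
    section = None
    for raw in output.splitlines():
        line = raw.strip()
        if "Local Attack Statistics" in line:
            section = "local"
            continue
        if "Transit Attack Statistics" in line:
            section = "transit"
            continue
        if section is None or not line or not line[0].isdigit():
            continue  # prompt, headers, separators, blank lines
        nums = [int(x) for x in line.split()]
        if section == "local" and len(nums) == 4:
            stats["local"] = dict(zip(COLUMNS, nums))
        elif section == "transit" and len(nums) == 5:
            stats["transit"][nums[0]] = dict(zip(COLUMNS, nums[1:]))
    return stats


def ports_with_drops(stats: dict, counter: str = "syn_drop", threshold: int = 0) -> list:
    """Transit ports whose chosen counter exceeds threshold, sorted."""
    return sorted(p for p, c in stats["transit"].items() if c[counter] > threshold)


def syn_drop_delta(prev: dict, cur: dict) -> dict:
    """Per-port increase in SYN drops between two polls; a port absent from
    the earlier poll is treated as having started at zero."""
    return {
        port: c["syn_drop"] - prev["transit"].get(port, {}).get("syn_drop", 0)
        for port, c in cur["transit"].items()
    }


if __name__ == "__main__":
    before = parse_dos_attack_stats(PAGE_OUTPUT)
    after = parse_dos_attack_stats(CONSTRUCTED_OUTPUT)
    print("ports dropping SYNs:", ports_with_drops(after))
    print("SYN drops since last poll:", syn_drop_delta(before, after))
```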
